11 October, 2012

How can you set up RMS-based protection to the documents users store in SharePoint?

You can use Windows Rights Management Services (RMS) to protect SharePoint documents in the two most recent releases of SharePoint; SharePoint Server 2010 and SharePoint Server 2007 both include RMS support. However, there are some restrictions and complexities you should be aware of if you plan to set up RMS with your SharePoint installations.

An important thing to know is that RMS can only encrypt SharePoint documents and subject them to RMS access control restrictions when they are downloaded from a SharePoint 2010 or SharePoint 2007 document library. RMS doesn't leave SharePoint documents encrypted while they're stored on the SharePoint server. This restriction exists so that SharePoint can index and scan the documents on a SharePoint storage provider. RMS applies its restrictions to a document only right before it's downloaded to a client computer. Similarly, when an RMS-protected document is uploaded to a SharePoint site, RMS removes all protection from the document until a new download request is received.

SharePoint-RMS integration ensures that security restrictions are enforced even after a document has left a SharePoint server, which is something that can't be achieved using the standard SharePoint permissions. SharePoint-RMS integration also automatically enforces an organization's RMS document security policies. A SharePoint administrator can centrally define different RMS policies for the document libraries hosted on a SharePoint server. Therefore, individual users don't have to decide what protection they need to apply to documents they post in SharePoint libraries. RMS permissions are defined at the SharePoint document library level: Documents in a library automatically inherit the library's RMS permissions. This protection applies to both existing and new documents in the SharePoint library.

The RMS protection of SharePoint data is, just like the RMS protection that's bundled with Windows and Microsoft Office, only possible for certain file formats. Out of the box, it supports Word, Excel, PowerPoint, InfoPath, and XPS files. Extensions to apply RMS protection to other file formats (e.g., .pdf, .cad) can be added through special software from Microsoft partners such as Liquid Machines (now part of Check Point Software Technologies) and GigaTrust.

RMS support for SharePoint can be set up using either RMS SP2 or RMS V2, which is bundled with Windows Server 2008. Provided you already have a functioning RMS infrastructure, enabling RMS protection in SharePoint is relatively straightforward. The main configuration actions are
  • enabling RMS support on the SharePoint server
  • setting the actual RMS restrictions in the configuration of a given document library
You can enable RMS support in SharePoint by selecting either the Use the default RMS server specified in Active Directory or Use this RMS server option in the Information Rights Management section of the SharePoint Central Administration\Operations configuration section.

To set RMS restrictions on a SharePoint document library you must use the Information Rights Management section in the Permissions and Management configuration section of the document library. When you select the Restrict permission to documents in this library on download check box, you can further refine the RMS protection as follows:
  • Allow users to print documents.
  • Enforce users to verify their credentials every x number of days. This setting can be useful when someone who has access to RMS-protected confidential data leaves your organization; the individual will retain access to the data only for x days after his or her last successful authentication to an RMS server.
  • Reject files that don't support Microsoft Information Rights Management (IRM). Selecting this option results in SharePoint rejecting the upload of document formats that don't support RMS.
  • Remove RMS protection on a particular date. This setting is useful for publishing company financial results, for instance. After the quarterly results are published, the RMS protection policy on the quarterly results SharePoint library automatically changes -- meaning that the RMS restrictions are removed.
Microsoft provides more detailed guidance on how to set up SharePoint-RMS integration in the article "Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide," which is available from Microsoft's website.

Courtesy: www.sharepointpromag.com

08 October, 2012

Error: Spdesign.exe has been denied access to or there is no server on port 443 at .

Today one of my client reported with an issue while browseing some of the SharePoint sites using designer. Accessing sites using SharePoint gives the below error messages. 

Error: Spdesign.exe has been denied access to

Clicking Ok produces another error message as below.

Error: There is no server on port 443 at . You have selected the Connect using SSL Option. This connections problem may indicate that the server does not support Secure Socket Layer (SSL) communications, or that it uses SSL communications on a different port number.

I was clue less for the issue at the start since the sites were browseable using https//….. Protocol. So I started the troubleshooting based on the troubleshooting related to NIC card, VPN connection suspicion, SSL port disability (prompting for making calls server at 443 ports) from windows firewall. 

Tried to compare the SPD versions on the different machine where it was working not working and didn’t found any issue.

Tried to clear SPD Cache clearance by using the following steps:

1. Close SharePoint Designer.

2. Open My Computer.

3. Go to %System Drive%\Documents and Settings\%user%\Local Settings\Application Data\Microsoft\WebSiteCache. 

4. Delete all folders and files there.

5. Open the site using SPD and we still has the issue. 

On further checking for proxy used by SharePoint designer I noticed that actual issue was related to the wrong proxy usage with Designer.

The proxy was not configuring to make connection to the server using Secure Socket Layer at port 443. By changing the proxy settings in Designer we were able to access all of the sites using designer.

Steps to change Proxy using Designer. 

1. Open SharePoint Designer. 

2. Go to tools -> Application Options.

3.On General tab choose to click Proxy Settings. And change the proxy with is configured to use the SSL over http protocol. 

By changing the proxy for the client, we were able to open the sites from the SharePoint Designer. 

Note: This Proxy settings can also be configured via IE and you may be prompted to provide credentials to open the site for the first time in Designer. 

If you have any issue or query please do let me know, I would be more happy to help you answer.

Contributor Settings in SharePoint Designer

Client was unable to open a site in SharePoint Designer after the activation of the SharePoint Designer on his site.

He is not admin of that site or may not have proper permissions to make changes to site using SPD.

- You may be able to open the site on your machine using SPD.
- While trying to open the site using SPD on the client machine you get message “Site is not allowed for editing using SPD”.
- You also notice that a small Icon at bottom right side of the SPD console with “Contribute Authentication”.
- It says the user who is trying to access the site is not a Site manager and has contribute rights to edit the site.

- Being Site Administrators, you can disable the use of contribute settings from the sites.
- To do that, open SPD console -> Sites -> contribute settings -> Under Advance tab -> Click Disable Contributor Settings.

Contributor Settings is not a security feature. Contributor mode is a limited access mode for users who open and edit SharePoint sites in Office SharePoint Designer 2007. Contributor mode is designed to be used in an environment where site managers are confident of their users’ intentions. Contributor mode helps to guide users in a particular direction to carry out their tasks, and this guidance prevents accidental changes to the Web site.

Absolute SharePoint Links, can be used for page shortcuts

These absolute SharePoint links to any site just in case the pages are hidden or you need to move through them in quick navigation.

Site Level 
Site settings Page /_layouts/settings.aspx
Web Parts Maintenance Page /default.aspx/?contents=1
Master page /_Layouts/ChangeSiteMasterPage.aspx
Title, description and icon /_layouts/prjsetng.aspx
Navigation /_layouts/AreaNavigationSettings.aspx
Page layouts and site templates /_Layouts/AreaTemplateSettings.aspx
Welcome page /_Layouts/AreaWelcomePage.aspx
Tree view /_layouts/navoptions.aspx
Site Themes /_layouts/themeweb.aspx
Reset to site definition /_layouts/reghost.aspx
Searchable columns /_Layouts/NoCrawlSettings.aspx


Site Content types /_layouts/mngctype.aspx
Site Columns /_layouts/mngfield.aspx
Site Templates /_catalogs/wt/Forms/Common.aspx
List Templates /_catalogs/lt/Forms/AllItems.aspx
Web Parts /_catalogs/wp/Forms/AllItems.aspx
Workflows /_layouts/wrkmng.aspx

Create Site /_layouts/newsbweb.aspx
New Site Content Type /_layouts/ctypenew.aspx
Site Usage Report /_layouts/usageDetails.aspx
Recycle Bin /_layouts/RecycleBin.aspx
Site Collection Recycle Bin /_layouts/AdminRecycleBin.aspx